SecurityvulnsSECURITYVULNS:DOC:29948[ISecAuditors Security Advisories] HTTP Response Splitting Vulnerability in WebCollab <= v3.30
=============================================
INTERNET SECURITY AUDITORS ALERT 2013-011
- Original release date: March 21st, 2013
- Last revised: March 21st, 2013
- Discovered by: Manuel Garcia Cardenas
- Severity: 5/10 (CVSS Base Score)
- CVE-ID: CVE-2013-2652
=============================================
I. VULNERABILITY
HTTP Response Splitting Vulnerability in WebCollab <= v3.30
II. BACKGROUND
WebCollab is a collaborative Web site for project workgroups. It aims to
be easy and intuitive to
use without being complicated or graphically intensive.
It uses a MySQL/PostgreSQL database backend coupled with PHP scripting
and the Apache webserver.
The last version of WebCollab is 3.30 (Aotuhia) released on February 2013.
III. DESCRIPTION
An input validation problem exists within WebCollab which allows
injecting CR (carriage return -
%0D or \r) and LF (line feed - %0A or \n) characters into the server
HTTP response header,
resulting in a HTTP Response Splitting Vulnerability.
The vulnerability exists in the "item" parameter on the page
"/help/help_language.php".
This vulnerability not only gives attackers control of the remaining
headers and body of the
server response, but also allows them to create additional responses
entirely under their
control.
IV. PROOF OF CONCEPT
Malicious Request:
%20WriteYourOwnHeader&lang=en&type=help
Server Response:
HTTP/1.1 302 Found
Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
Location: http://vulnerablesite.com/webcollab/help/en_help.php#
FakeHeader: WriteYourOwnHeader
Content-Length: 0
Content-Type: text/html
V. BUSINESS IMPACT
Attacker-supplied HTML or JavaScript code could run in the context of
the affected site,
potentially allowing an attacker to steal cookie-based authentication
credentials, control how
the site is rendered to the user, and influence or misrepresent how web
content is served,
cached, or interpreted. Other attacks are also possible.
VI. SYSTEMS AFFECTED
WebCollab <= v3.30
VII. SOLUTION
All data received by the application and can be modified by the user,
before making any kind of
transaction with them must be validated.
Validate the parameter "item" on the page "/help/help_language.php" line 34:
$help_item = $_GET['item'];
switch($_GET['type'] ) {
case 'admin':
header('Location:
'.BASE_URL.'help/'.$lang_prefix.'_help_admin.php#'.$help_item );
break;
case 'help':
default:
header('Location:
'.BASE_URL.'help/'.$lang_prefix.'_help.php#'.$help_item );
break;
VIII. REFERENCES
http://webcollab.sourceforge.net
http://www.isecauditors.com
IX. CREDITS
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (mgarcia (at) isecauditors (dot) com).
X. REVISION HISTORY
March 21, 2013: Initial release
XI. DISCLOSURE TIMELINE
March 21, 2013: Vulnerability acquired by
Internet Security Auditors (www.isecauditors.com)
March 22, 2013: CVE-ID requested and received.
October 17, 2013: First contact with the developer. We send pre-advisory
October 18, 2013: Developer team release a new version
October 24, 2013: Advisory Release
XII. LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with
no warranties or
guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse
of this information.
XIII. ABOUT
Internet Security Auditors is a Spain based leader in web application
testing, network security,
penetration testing, security compliance
implementation and assessing. Our clients include some of the largest
companies in areas such as
finance, telecommunications, insurance, ITC, etc.
We are vendor independent provider with a deep expertise since 2001. Our
efforts in R&D include
vulnerability research, open security project
collaboration and whitepapers, presentations and security events
participation and promotion. For
further information regarding our security
services, contact us.
Related
